CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 20th, 2009

Ball State University Servers Breached Due To Vulnerable Microsoft’s Internet Information Services 6

Hackers have wasted no time targeting a gaping hole in Microsoft’s Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday.

As of Wednesday morning California time, iWeb accounts at the Muncie, Indiana-based university remained inaccessible and service wasn’t expected to be restored until Thursday or Friday, Patty Lucas, a senior help desk support admin for Ball State’s Computing Services said. University administrators were working with Microsoft employees to investigate and fix the break in.

Microsoft representatives were investigating the breach Wednesday morning and not immediately available to comment on it.

On Monday, Microsoft confirmed what it called an “elevation of privilege vulnerability” in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. The assessment was at odds with this warning in which the US Computer Emergency Response Team said it was aware of “publicly available exploit code and active exploitation of this vulnerability.”

The flaw is significant because it allows anyone with a web browser to list, access, and possibly upload files in a password-protected WebDAV folder on a vulnerable machine, according to Nikolaos Rangos, a security researcher who published his findings on Friday. The bug resides in the part of IIS that processes commands based on the WebDAV protocol.

By adding several unicode characters – specifically “%c0%af” – to a web address, attackers can trick the widely used webserver into accessing parts of the system that are supposed to be off limits to outsiders.

Microsoft’s advisory correctly points out that several conditions make the vulnerability hard to exploit in some cases. For one, WebDAV is not enabled by default in IIS6, and for another, intruders would not be able to exceed the privileges of an anonymous user. By default, such accounts are not permitted to upload files to a server.

But based on Lucas’s description, the Ball State hackers may have been able to do just that. Shortly after the attack, students checking their iWeb pages were greeted with a message that said they had been hacked. There are no indications any data was stolen or malicious files uploaded, she said.

Credit: The Register

Update (May 22): Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft’s Internet Information Services webserver.

“Microsoft and Ball State now have identified the cause of the breach [as] a Ball State iWeb user [who] either misused or allowed the misuse of their account, and that was determined just this afternoon,” Ball State University spokesman Tony Proudfoot said on Thursday.

Share this item with others:

More on CyberInsecure:
  • CTW Library Consortium Computers Containing A Database Breached By Hackers
  • University Of Massachusetts Amherst’s Health Services Network Breached By Hackers
  • Southern Connecticut State University Warns Of Data Breach After Web Defacement
  • Fake Microsoft-like Sites Attempt To Install Malware
  • Oklahoma State University Parking Services Server Compromised

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Ball State University Servers Breached Due To Vulnerable Microsoft’s Internet Information Services 6

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.